From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1Q3Dhg-0008M8-Qb for garchives@archives.gentoo.org; Fri, 25 Mar 2011 20:33:53 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A043B1C0B4; Fri, 25 Mar 2011 20:33:43 +0000 (UTC) Received: from rrzmta1.uni-regensburg.de (rrzmta1.uni-regensburg.de [194.94.155.51]) by pigeon.gentoo.org (Postfix) with ESMTP id 689AB1C090 for ; Fri, 25 Mar 2011 20:33:17 +0000 (UTC) Received: from rrzmta1.uni-regensburg.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 9785F1E89 for ; Fri, 25 Mar 2011 21:33:16 +0100 (CET) Received: from grenadine.localnet (pc59050.uni-regensburg.de [132.199.102.87]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: hua59129) by rrzmta1.uni-regensburg.de (Postfix) with ESMTPSA id 9153D1E27 for ; Fri, 25 Mar 2011 21:33:16 +0100 (CET) From: "Andreas K. Huettel" To: gentoo-dev@lists.gentoo.org Subject: Re: [gentoo-dev] Re: rejecting unsigned commits Date: Fri, 25 Mar 2011 21:33:22 +0100 User-Agent: KMail/1.13.6 (Linux/2.6.36-gentoo-r5; KDE/4.6.1; x86_64; ; ) References: <201103252050.13759.dilfridge@gentoo.org> In-Reply-To: Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart2236682.OUU3AGNfYl"; protocol="application/pgp-signature"; micalg=pgp-sha512 Content-Transfer-Encoding: 7bit Message-Id: <201103252133.27978.dilfridge@gentoo.org> X-Archives-Salt: X-Archives-Hash: 77b9858f5754380a860266f24e6ac09e --nextPart2236682.OUU3AGNfYl Content-Type: Text/Plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable > > So what sort of identity do you want to verify? Seriously, at the momen= t when I got my commit bit, noone from Gentoo had ever met me in person, an= d for sure noone had ever had a look at my passport or any similar legal do= cument. The only established connection was my preexisting gpg key, which w= as then coupled to my gentoo account. >=20 > and no where do we require you to generate a gpg key bound to the > Gentoo e-mail address. we require you to provide a gpg key only. > like you said *right here*, we have 0 information to identify you, and > using a Gentoo e-mail address adds *nothing* to that. so why add a > completely useless requirement ? Because, pointing out the obvious, the key can contain all sorts of random = true or false information. I could have an user id saying "Barack Obama ".=20 To be able to do key validation based on gpg's mechanisms, an userid needs = to be signed. As e.g. Scarabeus and Wired can confirm, I'm definitely not B= arack Obama, but for less obvious cases the validity of the provided identi= ty may be unclear. Now, if I add an userid "" to my key, this userid doe= s not contain any information that is not already verified and "in the Gent= oo infra data". So, this one userid could be signed immediately by a centra= l instance without any further fuss. It's imho not a hard requirement, but it considerably eases administration.= So why not require it for devs? > > As for proxy maintenance, isn't the whole point of that that the proxie= d maintainers are not devs and do not have (commit access | a gentoo.org us= er id)? I do not understand how this would prevent proxy maintenance. >=20 > uhh, you already pointed out how -- git. if i pull updates from a > proxy maintainer, it's going to have his signing. Point taken... =2D-=20 Andreas K. Huettel Gentoo Linux developer - kde, sci, arm, tex dilfridge@gentoo.org http://www.akhuettel.de/ --nextPart2236682.OUU3AGNfYl Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (GNU/Linux) iQIcBAABCgAGBQJNjPwXAAoJEEb+UGWnxTyH2tcQAJ6ClDdL/fUXsEUKs27nww36 IxnuzTCBygps9m/z1+3ROj4peAsbEzsEaKi2IWqF/fb4yf2H8dzqnxhGL1Ui77jr 7Kftlklb301siL9WncEWf6uhgaUP6VChmruPpAL6ERHSXcV6Z9HegMJgHWsfXk93 vOCXHzr3EXcn7czzD6xTAsvOwJ6rEe+iwILmv3sZ0PILXeDGMFjclSwrm3qpJKSZ utKqGPHYgJV0k9VhcAMSDC0zg5XTqXJbB2qTw4qwhNCE6MJbQiHy1LZNQvg7iCiy ob30rHHnJsLUuuBs8Ux0xZHS6/SSFdfy15Wa+v/8Xd4eT/bsDC8JgiFB22h5XLN5 K8Ed+B7uKFIu7+/AuL5OOl8Z5z65bAnvz7nu5aGYKRumwP/tVaj6N7dsOobmh+AA zVnS2KxE6t/UI6vVx3xmoLiM7GOY40x5sVE4bG8TCrRRdlO0owwWEQT9aQaAXD0T x6puu6Sxg3EY3qbJy8RQmgY1+2H/JtkGB8UBhSUx5ieZiu74xovo3a2B7xFllM0V XEbPQpLG8ppDL+pvdnEFLXAGcYzwzF7gfhpkic/2GkA+SkBmfG2xt7u3og21TPbR lvlnF7J/TOaJ++dLv6UYv3AOJESnC3wTFSL2ITZBfdDO01J74bmDqD7b07aCmIAR GXkQvYxFvN9CXn6lTE4M =rweM -----END PGP SIGNATURE----- --nextPart2236682.OUU3AGNfYl--